From 90dc7f853d31b0a4e9441cba97feccf36d8b69a4 Mon Sep 17 00:00:00 2001
From: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Tue, 6 Mar 2018 11:23:31 +0100
Subject: [PATCH] fix some exploitable overflows (#994, #997)
---
 include/gpac/tools.h | 1 +
 src/isomedia/avc_ext.c | 2 ++
 src/media_tools/av_parsers.c | 4 ++++
 3 files changed, 7 insertions(+)
--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/include/gpac/tools.h
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/include/gpac/tools.h
@@ -999,6 +999,7 @@ void gf_fm_request_call(u32 type, u32 pa
 }
 #endif
+#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))
 #endif /*_GF_CORE_H_*/
--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/media_tools/av_parsers.c
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/media_tools/av_parsers.c
@@ -2160,6 +2160,10 @@ s32 gf_media_avc_read_sps(const char *sp
 sps->offset_for_non_ref_pic = bs_get_se(bs);
 sps->offset_for_top_to_bottom_field = bs_get_se(bs);
 sps->poc_cycle_length = bs_get_ue(bs);
+if (sps->poc_cycle_length > ARRAY_LENGTH(sps->offset_for_ref_frame)) {
+GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[avc-h264] offset_for_ref_frame overflow from poc_cycle_length\n"));
+goto exit;
+}
 for(i=0; i<sps->poc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs);
 }
 if (sps->poc_type > 2) {
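Review bot: The new `ARRAY_LENGTH` macro lands in the public header `include/gpac/tools.h` unconditionally, so any translation unit or downstream project that already defines a macro of that name will get a redefinition diagnostic when it includes this header; guarding it as `#ifndef ARRAY_LENGTH` / `#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))` / `#endif` avoids that. The macro also silently yields a wrong count when `a` has decayed to a pointer (an array parameter, for instance), which is exactly the situation in which a bounds check built on it would no longer bound anything. A one-line comment at the definition, `/* element count of a true array; never apply to a pointer */`, would make that restriction visible where future callers will read it.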
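Review bot: The added check compares `sps->poc_cycle_length` against the `size_t` produced by `ARRAY_LENGTH`, so if that field is declared as a signed type the comparison is performed unsigned; that still rejects any negative value as out of range, but the intent is clearer with an explicit cast or an unsigned field, which is worth confirming against the `AVC_SPS` declaration since it is outside this hunk. Using `>` rather than `>=` is correct here because the loop on the following line writes indices `0..poc_cycle_length-1`. The error path is `goto exit`, and both the `exit:` label and the value `gf_media_avc_read_sps` returns to its caller are outside the hunk, so whether callers see this SPS as rejected rather than partially parsed cannot be confirmed from here. A comment on the check such as `/* bound by offset_for_ref_frame[]; a stream may not index past it */` would record why the parse aborts at this point.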